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(54) Title: CONDITIONAL ACCESS SYSTEM AND METHOD FOR PREVENTION OF REPLAY ATTACKS 

(57) Abstract: In a conditional access system, a headend transmits content to one or more receivers in encrypted transport streams. 
The system provides a multi-layer security architecture, rendering the system resistant to key replay attacks; if one layer is circum- 
vented, subsequent layers remain intact. A first layer prevents unencrypted keys from being recorded by shielding the unencrypted 
keys from users and encrypting the path from the receiver's conditional access module to the transport decryption module; a second 
layer prevents a key recorded on one receiver from being played back to the transport decryption module on a second receiver, a third 
layer prevents a user from decrypting transport streams without the encryption module by encrypting the stream a second time prior 
to being passed through any user-accessible memory or processor. Events tables are transmitted with the transport stream, either 
unencrypted for immediate use or encrypted, to prevent unauthorized use. 



CONDITIONAL ACCESS SYSTEM AND METHOD FOR 
PREVENTION OF REPLAY ATTACKS 

5 

BACKGROUND OF THE INVENTION 

10 TECHNICAL FIELD 

The invention relates to security in conditional access systems. More particularly the 
invention relates to a conditional access system that includes a multi-layer cryptographic 
security architecture for prevention of replay attacks. 

15 

TECHNICAL BACKGROUND 
In conditional access systems, such as cable television networks, audio, video, data and 
other forms of content in electronic form may be broadcast as digital transport streams. 
The transport stream originates at the system, headend and is transmitted to and 
20 received by receiver units that display or make use of the transport stream. In order to 
prevent unauthorized use or viewing of the transport stream, the stream may be 
encrypted. In such systems, the receiver is capable of decrypting the transport stream 
prior to viewing or using it. 

25 Typically, the algorithm used to encrypt the transport stream is controlled by an 
encryption key. When decrypting the transport stream at the receiver end, the receiver 
must have the key. As a security measure, the key is periodically changed. Because the 
key is changed on a regular basis, there can be multiple keys required to decrypt the 
transport stream. The keys are then encrypted and broadcast within the transport 

30 stream. 

Generally, within the receiver unit of a conditional access system, a Transport Reception 
Module (TRM) is operative to receive the transport stream transmitted from the 
headend. Furthermore, a Conditional Access Module (CAM) decides whether or not to 
35 decrypt the stream, based on services purchased by the user. If the CAM allows the 
user to view or otherwise use the transport stream, it decrypts the keys and provides 
them to the Transport Decryption Module (TDM) for use in decrypting the transport 
stream. Thus, the TDM is operative to decrypt the transport stream, using the 
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decrypted keys supplied by the CAM. Following decryption, the decrypted stream is 
displayed to the user on a display module. 

Often, encrypted transport streams are recorded by the receiver and stored for future 
5 use. Furthermore, current conditional access systems are subject to replay attacks, 
particularly key replay attacks, in which unencrypted decryption information is intercepted 
and recorded as it is being passed to a TDM, Subsequently, the recorded decryption 
information may then be used at a later time to gain unauthorized access to the 
encrypted transport streams. For example, User A and User B both record a transport 
10 stream containing a particular audio/video stream, such as a movie. User A purchases 
the service; therefore the CAM in A's receiver will provide keys to use in decrypting the 
transport stream. User A can record the keys provided by the CAM as they are being 
passed to the TDM, and send them to User B. Thus, User B is able to decrypt the 
stream using the keys provided by A, viewing or using the stream without purchasing it. 

15 

A. Wasilewski, H. Pinder, G. Akins, M. Palgon, Conditional access system, U.S. Patent 
No. 6,157,719 (December 5, 2000) and R. Banker, G. Akins, Preventing replay attacks 
on digital information distributed by network service providers, U.S. Patent No 
6,005,938 (December 21,1999) provide techniques for preventing replay attacks on 

20 digital information distributed by network services. At the beginning of a subscription 
period for a service, a network service provider sends entitlement messages to the 
subscriber that provide the subscriber with a session key and authorization information, 
specifying a service and a period of time. When an encrypted service instance is 
distributed, it is accompanied by entitled control messages. The subscriber equipment 

25 that decrypts the service instance does so only if the time specifier in the entitlement 
control message specifies a time period specified by the authorization information. 
While the disclosed technique certainly complicates replay attacks by introducing a time 
element absent in conventional methods, it does not prevent them. In particular, it does 
not prevent recording and replaying of generated control words or instance keys. 

30 

S. Ooi, Decryptor, U.S. Patent No. 5,790,666 (August 4, 1998) describes a decryptor 
within a receiver unit of a conditional access system that includes a descrambler for 
descrambling signals scrambled at the headend using a pseudo-random noise 
generator. At the receiver, a pseudo-random noise generator is induced to change its 
35 state, through the provision of a scramble key, so that it generates pseudo-random 
noise signals that descramble the scrambled signal. The encrypted scramble key is 
transmitted from the headend and decrypted at the receiver after a cascade of conditions 
is satisfied. The decryptor, as described, provides a robust, multi-layer security 
apparatus for a conditional access system. Nevertheless, it suffers a vulnerability to 
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replay attacks common to many conditional access systems. The scramble key, when it 
has been decrypted, may be intercepted and recorded as it is passed to the 
descrambler. Subsequently, the recorded key may be replayed, either on the same 
receiver, or different receivers, creating the possibility of pirating and unauthorized use of 
5 the signal. 

Accordingly, there exists a need for a way of preventing replay attacks in conditional 
access systems. It would be desirable to provide protection in multiple layers, so that if 
one layer is compromised, the other layers remain intact. 

10 



SUMMARY OF THE INVENTION 

15 In a conditional access system, a headend transmits content to one or more receivers a,s 
encrypted transport streams. The system includes a multi-layer security architecture that 
renders the system highly resistant to key replay attacks at the receiver. Thus, if one 
layer is circumvented, the other layers remain intact. A first layer prevents unencrypted 
keys from being recorded by shielding the unencrypted keys from users and encrypting 

20 the path from the receiver's conditional access module (CAM) to the transport 
decryption module (TDM); a second layer prevents a key recorded on one receiver 
from being played back to the transport decryption module on a second receiver; and a 
third layer prevents a user from decrypting transport streams without the encryption 
module by encrypting the stream a second time prior to being passed through any 

25 user-accessible memory or processor. 

The multi-layer security architecture is achieved by means of . a series of cryptographic 
procedures between the headend and the various components of the receiver. First is a 
procedure for pairing the transport components with the CAM in which a random secret 
30 generated at the headend is encrypted and transmitted to the transport reception 
module (TRM), the TDM and the CAM. Each of the three components decrypts the 
secret and stores it for future use. Second is a transport stream recording procedure that 
requires a local key, specific to the receiver, generated by the CAM. Third is a 
procedure for decrypting and replaying the transport stream, also requiring the local key. 

35 

An event table for an MPEG stream is constructed in advance of the user purchasing 
rights to use the stream. In one embodiment, the event table is transmitted 
unencrypted, along with the corresponding stream, so that the receiver may access the 
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table without decrypting the stream. In an alternative embodiment, the event table is 
encrypted to prevent unauthorized use. 



5 BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 provides a block diagram of a conditional access system that is resistant to 
replay attacks, according to the invention. 

10 

DETAILED DESCRIPTION 

The invention provides a conditional access system that is resistant to playback attacks. 
The invention is also embodied as a cryptographic method for rendering a conditional 
1 5 access system resistant to replay attacks, particularly key replay attacks. 

Referring now to Figure 1 , shown is a conditional access system that includes a headend 
11 and a receiver 12. In actual fact, the system includes a plurality of substantially 
identical receivers, but the invention is described herein in terms of one receiver. The 

20 receiver includes a transport reception module (TRM) 15 for receiving a transport stream 
14 from the headend, and saving it to storage component 17. As Figure 1 shows, the 
transport stream 14 is encrypted by an encryptor 20 prior to transmission. Further, the 
receiver includes a transport decryption module (TDM) 16 that retrieves the transport 
stream from storage components 17 and decrypts it when access rights to the steam 

25 have been purchased by an end user. Additionally, the receiver includes a conditional 
access module (CAM) 18 that is operative to decide whether or not to decrypt the 
stream, based on the serves that the user has purchased. If the CAM allows the user to 
view or use the transport stream, it decrypts the key required to decrypt the transport 
stream and provides them to the TDM. The conditional access system 10 incorporates 

30 a multi-layer security architecture that prevents key replay attacks at the receiver 1 2. The 
novel security architecture relies on conventional encryption technology, applied in a new 
and unique way. The multi-layer security architecture, based on public key encryption is 
implemented in a series of cryptographic procedures, described in greater detail below. 

35 By providing multiple layers of security, if one security layer is circumvented, the other 
layers remain intact, thus providing a much higher degree of protection against replay 
attacks than is conventionally possible. 
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A first security layer is provided to prevent keys from being recorded from the CAM 
18. This is accomplished by never exposing unencrypted keys to the end user or any 
user programmable processor within the system, or storing them within any user- 
accessible memory within the system. Furthermore, the communication path between 
5 the CAM and the TDM is encrypted. 

If, for some reason, the first layer were to fail, and the user were to gain access to the 
keys, a second layer prevents the keys from being played back to a TDM on another 
receiver by ensuring that the TDM will not accept the key without it being transformed in 

10 a way that is unique to a particular receiver. Thus, a local key is required that is derived 
from the decryption key provided by the headend. In the current invention, the CAM 
provides the functionality required to generate local keys. It should be noted that the 
degree of security provided by this layer is in direct proportion to the degree of difficulty 
a cracker would encounter in transforming one receiver's key into a key required by a 

1 5 second receiver. 

A third layer of security prevents a user from intercepting the transport stream and 
decrypting it without the TDM. This is accomplished by never exposing the transport 
stream to the user. Before passing the stream through any user-programmable 
20 processor or user-accessible memory, the transport stream must be encrypted a 
second time. The security of the doubly-encrypted stream is further enhanced by 
providing an encryption mechanism that produces an encrypted stream that is particular 
to the receiver, rendering it useless on another receiver. 

25 IMPLEMENTATION 

The multi-layer security architecture is implemented as a series of cryptographic 
procedures, described in detail in Tables 1 -3, below. 

As shown in Figure 1 , 
30 The headend 1 1 has: 

• a Global Secret Key: GSK; 

• a Headend Private Key; 

• receiver's Transport Public Key; and 

• Receiver's CAM Public Key. 

35 

The TRM 15 has: 

• Transport Private Key; and 

• Headend Public Key. 

40 Likewise, the TDM 1 6 also has: 

• Transport Private Key; and 
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• Headend Public Key 



The CAM 18 has: 

CAM Private Key; 
Headend Public key; 
Global Secret Key; and 
CAM Secret Key. 



Table 1: CAM to TRM/TDM Pairing Procedure 
Headend generates random secret: S 

Headend cryptographically signs S using Headend Public Key: HPK(S). 
Headend encrypts S,HPK(S) using Transport Public Key: TPK(S,HPK(S)). 
Headend encrypts S,HPK(S) using CAM Public Key: CPK(S,HPK(S)). 
Headend transmits (TPK(S,HPK(S)) and CPK(S,HPK(S)) to TRM. 
TRM decrypts TPK(S,HPK(S)) using Transport Private Key; S,HPK(S). 
TRM verifies signature of HPK(S) using Headend Public Key. If signature is 
invalid, processing stops here. 
TRM stores shared secret, S, for later use. 
TRM passes TPK(S,HPK(S)) to TDM. 

TDM decrypts TPK(S,HPK(S)) using Transport Private Key; S,HPK(S). 

TDM verifies signature of HPK(S) using Headend Public Key. If signature is 

invalid, processing stops here. 

TDM store shared secret, S, for future use. 

TRM passes CPK(S,HPK(S)) to CAM. 

CAM decrypts CPK(S,HPK(S)) using CAM Private Key: S,HPK(S). 

CAM verifies signature of HPK(S) using Headend Public Key. If signature is 

invalid, processing stops here. 

CAM stores shared secret, S, for future use. 



Thus, as described in Table 1 , above, a random secret is generated by the headend. 
As Figure 1 shows, the random secret is generated at the headend 1 1 by a pseudo- 
random number generator 1 9. However, other equally suitable methods of generating 
the secret will be apparent to those skilled in the art. The general direction of the 

15 encrypted signal is shown by arrow 13. Thus, encrypted decryption keys, encrypted, 
signed secrets, and the encrypted transport stream itself traverse this same path from 
the headend to the receiver. The encrypted keys and secrets may be provided at the 
same time as the transport stream, either embedded in the stream, or as a separate 
stream, or they may be provided separately from the transport stream. Upon being 

20 received from the headend, the TRM, the TDM and the CAM all receive the encrypted 
secret. They decrypt the secret, verify the signature and store the secret for future use. 
As described below, the shared secret is necessary for the generation and utilization of 
the local key, which is required for recording and decrypting the transport stream. 



25 Table 2: Transport Stream Recording Procedure 

1 . Headend generates an encryption Key: K. 

2. Headend encrypts key using Global Secret Key: GSK(K). 

3. Headend transmits GSK(K) to TRM. 



1. 
2. 
3. 
4. 
5. 
6. 
7. 

8. 
9. 
10. 
11. 

12. 
13. 
14. 
15. 
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4. Headend encrypts transport stream using K: K(TS). 

5. TRM sends GSK(K) to CAM. 

6. CAM generates Local Key by encrypting GSK(K) using CAM Secret Key: 
LK=CSK(GSK(K)). 

7. CAM encrypts LK using shared secret, S: S(LK). 

8. CAM sends S(LK) to TRM. 

9. TRM decrypts S(LK) using shared secret, S: LK. 

1 0. Headend transmits K(TS) to TRM. 

1 1 . TRM further encrypts K(TS) using LK: LK(K(TS)). 

1 2. . TRM stores GSK(K) and LK(K(TS)) on a storage medium. 



As Table 2 describes, the encrypted decryption key is transmitted from the headend. 
The CAM transforms the decryption key using the CAM secret key, and the shared 
5 secret, S, both unique to that particular receiver, rendering the decryption key useless on 
any other receiver. The local secret is transmitted to the TRM from the CAM. Prior to 
being stored, in storage component 17, the encrypted transport stream is encrypted a 
second time, using the local key, effectively rendering the transport stream inaccessible. 
It should be mentioned that the storage component may consist of a memory or a mass 
1 0 storage device. The mass storage device may be a fixed drive such as a disk drive, or it 
may be a removable storage medium, such as a DVD. 

Table 3: Transport Stream Playback Procedure 
1 TDM retrieves GSK(K) and LK(K(TS)) from storage medium. 
2. TDM sends GSK(K) to CAM « A n e * 

3 CAM generates Local Key by encrypting GSK(K) using CAM Secret Key: 
LK=CSK(GSK(K)). 

4. CAM decrypts GSK(K) using GSK: K. 

5. CAM encrypts K, LK using shared secret, S: S(K,LK). 

6. CAM sends S(K,LK) to Transport. 

7 TDM decrypts S(K,LK) using shared secret, S:K,LK. 
8^ TDM decrypts LK(K(TS)) using LK: K(TS). 

9. TDM decrypts K(TS) using K: TS. 

1 0. TDM sends Transport Stream, TS, to display module 

As Table 3 describes, the TDM retrieves the doubly encrypted transport stream from 
15 the storage component 17, along with the decryption key. The decryption key is 
transmitted to the CAM, whereupon it is transformed into a local key, using shared 
secret, S and the CAM secret key. Prior to display, the transport stream must be 
decrypted twice. The first time using the local key, and the second time using the 
decryption key provided by the headend. Thus, h the form it is retrieved from the 
20 storage component, the transport stream is useless, except on that particular receiver. 

The invention is applicable in any type of subscription-based or conditional access 
network environment, in which a network service provider distributes digital information to 
users of the network. Typically, the network will be a publicly-accessible 
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telecommunications network such as a cable television network or the Internet. 
Furthermore, the network connection may be wired or wireless. Depending on the 
network and the nature of the content provided, the receiver may constitute a set-top 
box or a personal computer. The nature of the content is highly-variable; the invention is 
5 equally applicable to television programming, movies, pay-per-view sports events, 
digital music, digitized images, information products in digital format or software. Other 
network environments, hardware platforms and areas of application consistent with the 
spirit and scope of the invention will be apparent to those skilled in the art. 



MPEG is an industry standard for compressing, multiplexing, and transmitting digital 
video and audio. An MPEG stream is composed of a sequence of data bytes. These 
bytes can be logically grouped together to form a single element within an MPEG 
1 5 stream. For example, a single element within an MPEG stream might represent a single 
frame of video within a movie. 

The MPEG standard defines byte sequences that indicate the start of an element within 
an MPEG stream; such byte sequences are commonly referred to as "start codes." 
20 Some common examples of MPEG start codes are: 

• Video Packetized Elementary Stream Header; 

• Video Group of Pictures Header; 

• Video I Frame Header; 

• Video P Frame Header; 
25 • Video B Frame Header; 

• Video Slice Header; and 

• Audio Packetized Elementary Stream Header. 



It is often useful or necessary to build an Event Table that indicates the location of start 
30 codes within an MPEG stream. This table is composed of a list of offsets into the 
MPEG stream. The offsets listed in the table correspond to location in the MPEG 
stream that contain start codes. 

The Event table may contain additional information, as well. For example, it is often 
35 useful to describe what type of start code is located at each offset. Using the Event 
Table allows a playback device to quickly locate a particular element within an MPEG 
stream. For example, one method of quickly scanning through video (fast forward) is to 
play only a subset of the video frames contained within the stream. The Event Table 
can be used to quickly locate those frames that need to be displayed. 
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One application where it is useful to build such a table is on a device designed to 
receive, store and play back MPEG stream transmissions. Since MPEG streams are 
often encrypted before transmission to prevent unauthorized use, it is desirable to store 
5 the MPEG stream at the receiver in its encrypted from prior to purchase, in order to 
prevent unauthorized use. Typically, the stream is not decrypted until the rights to use or 
view the stream are purchased. Conventionally, the event table cannot be built until the 
MPEG stream is decrypted. Building the event table can be a time consuming process. 
Accordingly, this can impose a significant time delay between the time that the rights to 
1 0 use the stream are purchased and the time that the Event Table is created and available 
for use. 

In order to make the Event Table available immediately, an embodiment of the 
invention is provided in which the Event Table is created prior to transmission of the 
1 5 stream. A first alternative is to transmit the Event Table along with the associated MPEG 
stream, so that the receiver has access to the Event Table without decrypting the 
MPEG stream. A second alternative is to encrypt the Event Table itself prior to 
transmission, to protect it from unauthorized use. 

20 Although the invention has been described herein with reference to certain preferred 
embodiments, one skilled in the art will readily appreciate that other applications may be 
substituted without departing from the spirit and scope of the present invention. 
Accordingly, the invention should only be limited by the Claims included below. 
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CLAIMS 



What is claimed is: 

1 . A cryptographic method for rendering a conditional access system resistant to 
10 playback attacks, said system comprising a headend and at least one receiver 

connected to said headend, said method comprising the steps of: 

providing at least a global secret key (GSK), headend public (HPK) and private 

keys, receiver transport public (TPK) and private keys; receiver conditional access 

module (CAM) public (CPK) and private keys and a CAM secret key (CSK); 
15 pairing transport reception and decryption components of the receiver with said 

CAM such that a Transport Reception Module (TRM), a Transport Decryption Module 

TDM) and said CAM all share a secret; 
generating a Local Key (LK); 

recording an encrypted transport stream transmitted from said headend, wherein 
20 the transport stream is further encrypted at said receiver, using LK, so that a doubly- 
encrypted transport stream is stored on a storage medium on said receiver; and 

playing back said transport stream, wherein said transport stream is decrypted 
by said TDM, using LK. 

2. The method of Claim 1, wherein said step of pairing transport reception and 
decryption components of the receiver with said CAM comprises the steps of: 

generating a random secret (S) by said headend; 
signing S by said headend using HPK (HPK(S)); 
encrypting S, HPK(S) by said headend using TPK (TPK(S, HPK(S)); 
encrypting S, HPK(S) by said headend using CPK (CPK(S, HPK(S)); 
transmitting TPK(S, HPK(S) and CPK(S, HPK(S) to TRM by said headend; 
decrypting TPK(S, HPK(S) by TRM using said Transport private key; 
verifying said signature (HPK(S) by TRM using HPK, wherein processing stops 
if said signature is invalid; 

storing S for future use by TRM; 
passing TPK(S, HPK(S) to TDM by TRM; 

decrypting TPK(S, HPK(S) by TDM using said Transport private key; 
verifying said signature (HPK(S) by TDM using HPK, wherein processing stops 
if said signature is invalid; 
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30 



35 



storing S tor future use by TDM; 
passing CPK(S, HPK(S) to CAM by TRM; 
decrypting CPK(S, HPK(S) by CAM using said CAM private key; 
verifying said signature (HPK(S) by CAM using HPK, wherein processing stops 
5 if said signature is invalid; and 

storing S for future use by CAM; 

wherein S is shared by TRM, TDM and CAM. 

3. The method of Claim 2, wherein said step of recording an encrypted transport 
1 0 stream transmitted from said headend comprises the steps of: 

generating an encryption key, K by said headend; 
encrypting K using GSK (GSK(K)); 
transmitting GSK(K) to TRM; 

encrypting a transport stream (TS) by said headend using K (K(TS)); 
1 5 sending GSK(K) to CAM by TRM; . 

generating LK, wherein generating LK comprises: 

encrypting GSK(K) by CAM using CSK (LK=CSK(GSK(L))); 

encrypting LK by CAM using S (S(LK)); 

sending S(LK) to TRM; 
20 decrypting S(LK) by TRM using S 

transmitting K(TS) to TRM by said headend; 

further encrypting K(TS) using LK (LK(K(TS)); and 

storing LK(K(TS) on said storage medium; 

wherein said transport stream is doubly encrypted. 

25 

4. The method of Claim 3, wherein said step of playing back said transport stream 
comprises the steps of: 

retrieving GSK(K) and LK(K(TS) by TDM; 

sending GSK(K) to CAM by TDM; 
30 generating LK by CAM; 

decrypting GSK(K) by CAM suing GSK; 

encrypting K, LK by CAM using S (S(K,LK)); 

sending S(K,LK) to TDM by CAM; 

decrypting S(K, LK) by TDM using S; 
35 decrypting LK(K(TS) by TDM using LK; 

decrypting K(TS) by TDM using K; and 

sending said decrypted transport stream TS to a display module for one of 
display and use by a user. 
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5. The method of Claim 4, wherein multiple layers of security are provided so that if 
one layer is a circumvented, subsequent layers remain intact. 

6. The method of Claim 5, wherein a first layer comprises preventing said user from 
5 accessing unencrypted keys by avoiding exposing said unencrypted keys to user 

accessible and user programmable resources within said receiver. 

7. The method of Claim 6, wherein said first layer further comprises encrypting a 
communication path between said CAM and said TDM. 

10 

8. The method of Claim 5, wherein a second layer comprises preventing keys from 
being played back into said TDM by requiring that keys be first transformed in a manner 
particular to a receiver. 

1 5 9, The method of Claim 8, wherein said transformation comprises encrypting said 
keys by said CAM using LK. 

10. The method of Claim 5, wherein a third layer comprises preventing said user 
from accessing said transport stream. 

20 

11. The method of Claim 10, wherein preventing said user from accessing said 
transport stream comprises doubly encrypting said transport stream prior to storage. 

12. The method of Claim 11, wherein a corresponding Event Table is built for said 
25 transport stream prior to transmission. 

13. The method of Claim 12, wherein said Event Table is transmitted along with said 
transport stream so that said Event Table is available for immediate use by said 
receiver. 

30 

14. The method of Claim 12, wherein said Event Table Is encrypted prior to 
transmission to prevent unauthorized use. 

15. A conditional access system rendered resistant to playback attacks, wherein 
35 multiple layers of security are provided so that if one layer is circumvented, subsequent 

layers remain intact, said system comprising: 

a headend, wherein said headend sources a digital transport stream; 
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at least one receiver connected to said headend for receiving said transport 
stream, said receiver including a Transport Reception Module (TRM), a Transport 
Decryption Module (TDM) and a Conditional Access Module (CAM); 

a global secret key (GSK); 
5 headend public (HPK) and private keys; 

receiver transport public (TPK) and private keys; and 

receiver conditional access module (CAM) public (CPK) and private keys and a 
CAM secret key (CSK), wherein said keys are operative in a plurality of cryptographic 
procedures. 

10 

16. The system of Claim 15, wherein a first layer comprises preventing a user from 
accessing unencrypted keys by avoiding exposing said unencrypted keys to user 
accessible and user programmable resources within said receiver. 

15 17. The system of Claim 16, wherein said first layer further comprises encrypting a 
communication path between said CAM and said TDM. 

18. The system of Claim 16, wherein a second layer comprises preventing keys 
from being played back into said TDM by requiring that keys be first transformed in a 

20 manner particular to a receiver. 

19. The system of Claim 18, wherein said transformation comprises encrypting said 
keys by said CAM using a local key (LK) generated by said CAM. 

25 20. The system of Claim 19, wherein a third layer comprises preventing said user 
from accessing said transport stream. 

21 . The system of Claim 20, wherein preventing said user from accessing said 
transport stream comprises doubly encrypting said transport stream prior to storing said 

30 transport stream locally. 

22. The system of Claim 21, wherein transport reception and decryption 
components of the receiver are paired with said CAM such that said TRM, said TDM 
and said CAM all share a secret, and wherein said pairing is accomplished by: 

35 generating a random secret (S) by said headend; 

signing S by said headend using HPK (HPK(S)); 
encrypting S, HPK(S) by said headend using TPK (TPK(S, HPK(S)); 
encrypting S, HPK(S) by said headend using CPK (CPK(S, HPK(S)); 
transmitting TPK(S, HPK(S) and CPK(S, HPK(S) to TRM by said headend; 

-13- 



decrypting TPK(S, HPK(S) by TRM using said Transport private key; 
verifying said signature (HPK(S) by TRM using HPK, wherein processing stops 
if said signature is invalid; 

storing S for future use by TRM; 
passing TPK(S, HPK(S) to TDM by TRM; 

decrypting TPK(S, HPK(S) by TDM using said Transport private key; 
verifying said signature (HPK(S) by TDM using HPK, wherein processing stops 
if said signature is invalid; 

storing S for future use by TDM; 
passing CPK(S, HPK(S) to CAM by TRM; 
decrypting CPK(S, HPK(S) by CAM using said CAM private key; 
verifying said signature (HPK(S) by CAM using HPK, wherein processing stops 
if said signature is invalid; and 

storing S for future use by CAM; 
wherein S is shared by TRM, TDM and CAM. 

23. The system of Claim 22, wherein an encrypted transport stream transmitted from 
said headend is recorded, wherein the transport stream is further encrypted at said 
receiver, using LK, so that a doubly-encrypted transport stream is stored on a storage 
20 medium on said receiver; 

wherein recording said stream comprises: 
generating an encryption key, K by said headend; 
encrypting K using GSK (GSK(K)); 
transmitting GSK(K) to TRM; 
25 encrypting a transport stream (TS) by said headend using K (K(TS)); 

sending GSK(K) to CAM by TRM; 
generating LK, wherein generating LK comprises: 

encrypting GSK(K) by CAM using CSK (LK=CSK(GSK(L))); 
encrypting LK by CAM using S (S(LK)); 
30 sending S(LK) to TRM; 

decrypting S(LK) by TRM using S 
transmitting K(TS) to TRM by said headend; 
further encrypting K(TS) using LK (LK(K(TS)); and 
storing LK(K(TS) on said storage medium; 
35 wherein said transport stream is doubly encrypted. 

playing back said transport stream, wherein said transport stream is decrypted 
by said TDM, using LK. 
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24. The system of Claim 23, wherein said transport stream is decrypted by said 
TDM, using LK and played back by: 

retrieving GSK(K) and LK(K(TS) by TDM; 

sending GSK(K) to CAM by TDM; 
5 generating LK by CAM; 

decrypting GSK(K) by CAM suing GSK; 

encrypting K, LK by CAM using S (S(K,LK)); 

sending S(K,LK) to TDM by CAM; 

decrypting S(K, LK) by TDM using S; 
10 decrypting LK(K(TS) by TDM using LK; 

decrypting K(TS) by TDM using K; and 

sending said decrypted transport stream TS to a display module for one of 
display and use by said user. 

1 5 25. The system of Claim 1 5, further comprising a corresponding event table for said 
transport stream, wherein said event table is built prior to transmission. 

26. The system of Claim 25, wherein said Event Table is transmitted along with said 
transport stream so that said Event Table is available for immediate use by said 

20 receiver. 

27. The system of Claim 25, wherein said Event Table is encrypted prior to 
transmission to prevent unauthorized use. 

25 28. A method of providing an event table for a corresponding MPEG transport 
stream, wherein said transport stream is transmitted from a headend to at least one 
receiver, said method comprising; 

building said event table prior to transmission of said stream. 

30 29 The method of Claim 28, further comprising the step of: 

transmitting said event table along with said transport stream so that said event 
table is available for immediate use by said receiver. 

30. The method of Claim 29, further comprising the step of: 
35 encrypting said event table prior to transmission so that unauthorized use of said 

event table is prevented. 



-15- 



1/1 



10 



■19 



PRNG 

Headend Private 

GSK 

TPK 

CPK 



Encr y ptor 

— i — 



Stream 



HEADEND 



20 
14 



13 



\l1 



Storag e 



-17 



15 



1 I 

TRM 

Transport Private 
HPK 



n 



16 



TDM 

Transport Private 
HPK 



CAM 

CAM Private 

HPK 

GSK 

CSK 



RECEIVER 



T 



12 



Legend 

CAM Conditional Access Module 

TRM Transport Reception Module 

TDM Transport Decryption Module 

GSK Global Secret Key 

TPK Transport Public Key 

CPK CAM Public Key 

HPK Headend Public Key 

CSK CAM Secret Key 



FIG. 1 



SUBSTITUTE SHEET (RULE 26) 



